[06-18-24]--The Post-it Note Clearly Says “Don’t Share” Right Under My Password
CISO Series Podcast
The Post-it Note Clearly Says “Don’t Share” Right Under My Password
How do you manage the risk introduced by your own staff? This can range from having written passwords in plain sight to using insecure operating systems on BYOD devices. Staff can show almost as much creativity as threat actors when it comes to putting an organization at risk. But how do you quantify and start to remediate the risks they introduce?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Allan Alford, CISO, Eclypsium.
Evolving public-private partnerships
Public-private partnerships are not new in cybersecurity; they’ve been around for years. But there is a misconception that such partnerships only involve the government sharing classified threat intelligence with private companies, as Christopher Whyte pointed out at CSO Online. In reality, existing collaborations such as CISA's architecture guides and NIST’s Cybersecurity Framework were themselves developed through public-private partnerships. Private companies can play a role in strengthening these partnerships, especially in areas like open source, where private industry is already doing much of the heavy lifting.
New technology, but not a new challenge
With the breakneck pace of development for new LLM-based tools, how can we keep pace with risk assessments? A recent piece by George Hammond in the Financial Times painted a bleak picture. While the emergence of LLMs might be a sea change in tooling, we’ve dealt with this risk assessment challenge before. It’s easy to forget that the PC revolution and the rise of the internet proved equally rapid and disruptive. New technology brings about fears of unmanageable risks. Fortunately, the security industry has adapted its approach each time. With LLMs, the key is to identify the new risk categories, such as data leakage and hallucinations (output that is simply wrong but presented by the model as correct). Existing solutions like data loss prevention (DLP) and human oversight can help mitigate these risks. We don’t need to reinvent the risk management wheel for LLMs.
Securing the hidden layers of the supply chain
With recent high-profile attacks on critical infrastructure, supply chain security has never been a hotter topic. But discussions in this area are often too narrowly focused on software and open-source libraries. This risks organizations failing to take a holistic approach that considers the entire supply chain, including hardware components, firmware, and BIOS. These elements can be compromised during manufacturing or through counterfeit parts, but they haven’t gotten as much high-profile coverage of late. Supply chain security might finally be getting the attention it has long deserved, but we can’t be blinded by recency bias.
Balancing usability and control
Employees inevitably introduce risk to an organization. Every security professional realizes this, but that doesn’t mean it isn’t frustrating. A recent post on the cybersecurity subreddit rounded up some of the biggest offenders. These include putting confidential data on personal devices, bypassing security measures to send sensitive information, and leaving computers unlocked. While these behaviors are problematic, always keep in mind that security measures shouldn't impede employee productivity. CISOs need to have an eye for user-friendly security solutions and design controls that consider how employees are evaluated at work. If security can complement productivity, it makes buy-in and compliance much easier.
Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to our podcast sponsor, Eclypsium
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
What I love about cyber security…
"I love the fact that a whole group of strangers have all embraced the noble purpose of protection and that we all manage to get along and sort of head towards the right mission, at least for the most part." - Allan Alford, CISO, Eclypsium
Listen to full episode of "The Post-it Note Clearly Says “Don’t Share” Right Under My Password."
What Makes a Successful CISO?
"That's the secret sauce that we as CISOs have to, security leaders have to accomplish, to combine the balance between allowing the business to move as fast as possible, but to provide the business with the risk context of what it means to move in the pace that they are looking to do." - Tomer Gershoni, former CSO, Zoominfo.
Listen to full episode of "What Makes a Successful CISO?"
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Bil Harmer, operating partner and CISO, Craft Ventures.
Thanks to our Cyber Security Headlines sponsor, Vanta
Super Cyber Fridays!
How Does Generative AI Help and Hurt Cybersecurity?
Everyone is asking the same questions when it comes to generative AI. People want to know how to harness it for good and how to make sure employees are using it appropriately at work. The latter requires visibility, something sorely lacking in the space right now, notes Russell Spitler, CEO and co-founder, Nudge Security.
That's what we'll be discussing on “Hacking Generative AI Anxiety: An hour of critical thinking about how to create constructive outlets around this technology” that will be happening this Friday, 06-21-24, on Super Cyber Friday.
Joining Russell and me for the discussion this Friday will be Jay Wilson, CISO, Insurity.
Thanks to our Super Cyber Friday sponsor, Nudge Security
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.